<!-- Start Instructions -->
<h1>How To Work With WebGoat</h1>
<p>
Welcome to a brief overview of WebGoat.<br> 
</p>
<h2>Environment Information</h2>
<p>
WebGoat uses the Apache Tomcat server but can run in any application server. It is configured to run on 
localhost although this can be easily changed, see the "Tomcat Configuration" section in the Introduction. </p>

<h2>The WebGoat Interface</h2>
<p>
<img src="images/introduction/interface.png"><br><br>
1. Lesson Categories in WebGoat. Click on a Category to see specific Lessons.<br>
2. This will show the underlying Java source code.<br>
3. This will show the complete solution of the selected lesson.<br>
4. This will show goals and objectives of the lesson.<br>
5. This will show technical hints to solve the lesson.<br>
6. This shows the HTTP request data<br>
7. If you want to restart a lesson you can use this link.</p>
<h2>Solve The Lesson</h2>
<p>
Always start with the lesson plan. Then try to solve the lesson and if necessary, 
use the hints. The last hint is the solution text if applicable.  If you cannot solve the lesson using the hints, you may view the 
solution for complete details.</p>

<h2>Read And Edit Parameters/Cookies</h2>
<p>
To read and edit parameters and cookies you need a local proxy like OWASP ZAP to intercept the HTTP request.
 More information on ZAP can be found in the "Useful Tools" section in the Introduction.
</p>

<h2>Configuring new WebGoat users</h2>
<p>
WebGoat uses spring-security.xml to configure users.
<br/>
  <pre>
&lt;!-- Authentication Manager --&gt;
&lt;authentication-manager alias="authenticationManager"&gt;
  &lt;authentication-provider&gt;
    &lt;user-service&gt;
      &lt;user name="guest" password="guest" authorities="ROLE_WEBGOAT_USER" /&gt;
      &lt;user name="webgoat" password="webgoat" authorities="ROLE_WEBGOAT_ADMIN" /&gt;
      &lt;user name="server" password="server" authorities="ROLE_SERVER_ADMIN" /&gt;
    &lt;/user-service&gt;
  &lt;/authentication-provider&gt;
&lt;/authentication-manager&gt;  
  </pre>
</p>
<h2>Adding Users</h2>
<p>
Usually WebGoat only requires logging in with the user:guest and password:guest.
 But maybe in laboratory you have made a setup with one server and a lot of
clients. In this case you might want to have a user for every client,
 you will have to alter /WEB-INF/spring-security.xml to add additional users. <b>We recommend not to use real passwords 
as the passwords are stored in plain text in this file!</b>
</p>
<h3>Adding a new User</h3>
<p>
Adding a user is straight forward. You can use the guest entry as an example. The added
users should have the same role as the guest user. The new user/password will not show on the login page. 
Add lines like this to the /WEB-INF/spring-security.xml file:
</p>
<pre>
&lt;user name="guest2" password="guest2" authorities="ROLE_WEBGOAT_USER" /&gt;
...
</pre>
<!-- Stop Instructions -->
